CMPUT 333, Assignment 1, Winter 2019

(sliding part - 25%)

University of Alberta / Department of Computing Science

Instructor: Ioanis Nikolaidis (nikolaidis@ualberta.ca)

(password cracking)

Part 4 (25%)

You are given hashed passwords. Each group is given a set of five Unix password hashes and a set of three MS Windows (NT) password hashes. You are to determine the passwords corresponding to those hashes.

The following "hints" must be exploited to reduce the search space.

  1. One Unix password is a hexadecimal number
  2. One Unix password is a French word
  3. One Unix password is a leet-transformed English word
  4. One Unix password is a mangled name of a triathlete
  5. One Windows password is an English word
  6. One Windows password is the name of a Canadian novelist

The mangling of the triathlete name is performed by introducing a connector (can be $, %, *, or _) between first and last name. Each component of the name (first name and last name) are transformed separately with respect to character capitalization. There are three options for each name component capitalization: all letters in lower case, all letters in upper case, first letter upper case with the rest lower case. The capitalization strategy for the first component (first name) can be different from the capitalization strategy applied to the second component (last name).

The leet-transformed English word is a word in which exactly two characters (two different characters) have been transformed to leet equivalent.

The Canadian novelist names are first name (first letter capitalized, the rest lower case) followed by last name (first letter capitalized, the rest lower case). There is no connector or white space between first and last name.

Tools

The highly recommended tool for the job is "John-the-Ripper" (https://www.openwall.com/john/) but because of some extensions (and lots of user-contributed code) you are probably better served by the community version of the same tool maintained at a github repository (https://github.com/magnumripper/JohnTheRipper).

The requirements of the assignment are to provide fully documented answers for the following:

  1. Present the mangling rules you used in each case to control the search carried out by John-the-Ripper
  2. Present the time of execution for breaking each password separately (using your Linux Cybera VM)
  3. Present the process and tools you used to collect relevant information (e.g., novelist names, etc.)

Brute force cracking can work well, but it does not result in full marks. Also, ensure that you indicate exactly which version of John-the-Ripper you used and any exceptional compilation flags you may have used.

Deliverables

Only one of the group members need to submit on behalf of the entire group (in the event of more than one submission, the last one will be considered). Your report should include answers to the questions and should cite any resources that you used to answer the questions. By default it is assumed that all group members equally contribute to the assignment. If you need to deviate from this model of cooperation, explain why and indicate who was responsible for what. There is no restriction to the language you can use for programming as long as you can provide the instructions of how to run any and all code in the CS VM or the Cybera VM you were provided. Your report (in plaintext, markdown, or pdf format) to address the questions raised in this assignment should be submitted as a single file accompanying your results, source code, supporting files, etc.

(This is the sliding part of Assignment 1 and will be submitted separately from the non-sliding part by the deadline for the non-sliding part of Assignment 2.)


Thursday, February 8, 2019